1038 matches found

Veracode
added 2017/01/27 3:10 a.m. | 53 views

Padding Oracle Attack

OpenSSL is vulnerable to padding oracle attacks. The library does not check if there is enough data in both the MAC hash and padding bytes, allowing an attacker to recover the plain text by using the server as a padding oracle. Note: This vulnerability exists because of an incorrect fix for...

5.9 CVSS | 7.5 AI score | 0.79963 EPSS
Exploits: 6 | References: 59 | Affected Software: 3
Amazon
added 2017/01/19 12:0 a.m. | 72 views

Medium: httpd24

Issue Overview: The following security-related issues were fixed: Padding oracle vulnerability in Apache mod_session_crypto (CVE-2016-0736); DoS vulnerability in mod_auth_digest (CVE-2016-2161); Apache HTTP request parsing whitespace defects (CVE-2016-8743). Affected Packages: httpd24. Issue Correction: Run yu...

7.5 CVSS | 7.1 AI score | 0.4168 EPSS
Exploits: 4
Veracode
added 2017/01/13 9:57 a.m. | 22 views

Padding Oracle Attack

bouncycastle is vulnerable to padding oracle attacks. In an environment where timings can be easily observed, it is possible to identify when the decryption is failing due to padding...

5.9 CVSS | 6.5 AI score | 0.00802 EPSS
Exploits: 0 | References: 9 | Affected Software: 223
Hacker One
added 2017/01/10 1:38 p.m. | 250 views

FormAssembly: formassembly.com is vulnerable to padding-oracle attacks.

Dear Formassembly bug bounty team, Summary --- formassembly.com is vulnerable to CVE-2016-2107, allowing remote attackers to obtain sensitive information via padding-oracle attacks. $ git clone https://github.com/FiloSottile/CVE-2016-2107.git $ go run main.go www.formassembly.com ... Vulnerable:...

2.6 CVSS | 6.9 AI score | 0.79963 EPSS
Exploits: 6
myhack58
added 2017/01/05 12:0 a.m. | 172 views

Analysis of the Padding Oracle vulnerability in the Apache mod_session_crypto module - vulnerability warning - the black bar safety net

Recently, security researchers found a Padding Oracle vulnerability in the mod_session_crypto module of the Apache Web server. An attacker can exploit this vulnerability to decrypt the session data, and it can even be used to encrypt specified data. Vulnerability details Product: Apache HTTP Server...

7.6 AI score | 0.4168 EPSS
Exploits: 4
CNVD
added 2016/12/26 12:0 a.m. | 6 views

Unspecified Vulnerability in Apache HTTP Server

Apache httpd is an open source HTTP server developed and maintained by the U.S. Apache Software Foundation specifically for modern operating systems. A security vulnerability exists in Apache httpd, which stems from the program's failure to properly parse HTTP headers. A remote attacker coul...

7.5 CVSS | 8.7 AI score | 0.4168 EPSS
Exploits: 4 | References: 1
Packet Storm
added 2016/12/23 12:0 a.m. | 1394 views

Apache mod_session_crypt 2.5 Padding Oracle

Advisory: Padding Oracle in Apache mod_session_crypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data and even encrypt attacker-specified data. Detai...

7.8 AI score | 0.4168 EPSS
Exploits: 4
Exploit DB
added 2016/12/23 12:0 a.m. | 876 views

Apache mod_session_crypto - Padding Oracle

''' Advisory: Padding Oracle in Apache mod_session_crypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data and even encrypt attacker-specified data...

7.5 CVSS | 7.9 AI score | 0.4168 EPSS
Exploits: 4
exploitpack
added 2016/12/23 12:0 a.m. | 1480 views

Apache mod_session_crypto - Padding Oracle

Apache mod_session_crypto - Padding Oracle ''' Advisory: Padding Oracle in Apache mod_session_crypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data an...

5 CVSS | 7.8 AI score | 0.4168 EPSS
Exploits: 4
0day.today
added 2016/12/23 12:0 a.m. | 843 views

Apache mod_session_crypto - Padding Oracle Vulnerability

Apache mod_session_crypto versions 2.3 through 2.5 suffer from a padding oracle vulnerability. Padding Oracle in Apache mod_session_crypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be...

5 CVSS | 7.8 AI score | 0.4168 EPSS
Exploits: 4
OSV
added 2016/12/22 12:0 a.m. | 1 views

UBUNTU-CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

7.5 CVSS | 7.1 AI score | 0.4168 EPSS
Exploits: 4 | References: 5
UbuntuCve
added 2016/12/22 12:0 a.m. | 54 views

CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

7.5 CVSS | 7.1 AI score | 0.4168 EPSS
Exploits: 4 | References: 4
RedHat Linux
added 2016/12/15 10:11 p.m. | 3 views

openssl: Padding oracle in AES-NI CBC MAC check

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by...

5.9 CVSS | 6.9 AI score | 0.79963 EPSS
Exploits: 6 | References: 5
OSV
added 2016/12/15 6:59 a.m. | 2 views

CVE-2016-4028

An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the...

7.5 CVSS | 5.8 AI score
Exploits: 0 | References: 2
NVD
added 2016/12/15 6:59 a.m. | 11 views

CVE-2016-4028

An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the...

7.5 CVSS | 7.6 AI score | 0.00148 EPSS
Exploits: 1 | References: 2
Prion
added 2016/12/15 6:59 a.m. | 17 views

Design/Logic Flaw

An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the...

3.5 CVSS | 7.1 AI score | 0.00148 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2016/12/15 6:31 a.m. | 21 views

CVE-2016-4028

An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the...

7.6 AI score | 0.00148 EPSS
Exploits: 1 | References: 2
CVE
added 2016/12/15 6:31 a.m. | 47 views

CVE-2016-4028

Open-Xchange OX Guard (before 2.4.0-rev8) is affected by a padding oracle flaw in the authentication token handling when using AES-CBC. The API may reveal padding validity via error codes, enabling brute-forcing of a guest token’s contents (OxReaderID cookie and auth parameter) to potentially dis...

7.5 CVSS | 7.5 AI score | 0.00148 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2016/12/11 2:59 a.m. | 18 views

CVE-2016-6606

An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector...

8.1 CVSS | 6.8 AI score
Exploits: 0 | References: 4
NVD
added 2016/12/11 2:59 a.m. | 16 views

CVE-2016-6606

An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector...

8.1 CVSS | 8 AI score | 0.00377 EPSS
Exploits: 0 | References: 4